Author Topic: Licat/Murofet/Zeus 2.1  (Read 5607 times)


October 07, 2010, 08:58:44 am

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

October 08, 2010, 04:15:54 pm
Reply #1

SysAdMini


October 12, 2010, 03:34:48 pm
Reply #2

SysAdMini


October 15, 2010, 03:59:35 am
Reply #3

SysAdMini


October 18, 2010, 04:56:43 pm
Reply #4

SysAdMini


October 18, 2010, 08:08:57 pm
Reply #5

SysAdMini


October 20, 2010, 05:11:28 pm
Reply #6

SysAdMini

New capabilities of Zeus 2.1
http://www.net-security.org/malware_news.php?id=1501
Quote
New capabilities in Zeus 2.1 include:

URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus's configuration to define targets. For example, Zeus can now target all URLs that start with “https” and then zero in on those that contain specific digits and keywords. Earlier Zeus versions had a primitive regular expression implementation which provided very little flexibility in specifying target URLs.

The injection mechanism (Zeus’s main “work horse”) now uses sophisticated regular expressions based on PCRE as well, which helps avoid detection. It can target individual web pages with elaborate injections, while not injecting into other pages. This surgical injection method creates more convincing pages and can target more banks using a single attack.

Zeus now has a fine-grained "grabbing" mechanism, again based on PCRE, which can extract very specific areas of the page (e.g. the account balance) and report them to the C&C host. The grab mechanism provides an efficient way of collecting user data (such as account balance), as opposed to the cumbersome and wasteful way (supported by earlier Zeus variants) of having to copy the full page.

As other researchers have already pointed out, Zeus 2.1 completely changed the way it communicated with its Command & Control (C&C) servers: it now uses a daily list of hundreds of C&C hostnames, through which it cycles trying to find a live one, which is a considerable improvement over the previous scheme.

Zeus has added a 1024-bit RSA public key, which will probably be used for one-way encryption of data and authenticating the C&C server to Zeus clients.
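The C&C scheme the quoted article describes (a daily list of hundreds of hostnames that the bot cycles through until one answers) leaves a recognisable footprint in resolver logs: one client issuing a burst of lookups for many distinct names that all come back NXDOMAIN, often ending in a single successful answer. The script below is an added detection example written for this thread; it is not code from the forum, from the quoted article or from any Zeus analysis. The log line format, the client addresses, the hostnames and the threshold values are all constructed for the demonstration and would need tuning against a real resolver's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log (not real traffic). The line format is an assumption
# for this example: ISO timestamp, client address, queried name, response code.
SAMPLE_LOG = """\
2010-10-20T17:11:28Z client=10.0.0.5 query=www.example.com rcode=NOERROR
2010-10-20T17:11:29Z client=10.0.0.5 query=wwww.example.com rcode=NXDOMAIN
2010-10-20T17:11:40Z client=10.0.0.5 query=mail.example.com rcode=NOERROR
2010-10-20T17:12:01Z client=10.0.0.7 query=a1b2c3.example.net rcode=NXDOMAIN
2010-10-20T17:12:01Z client=10.0.0.7 query=d4e5f6.example.net rcode=NXDOMAIN
2010-10-20T17:12:02Z client=10.0.0.7 query=g7h8i9.example.net rcode=NXDOMAIN
2010-10-20T17:12:02Z client=10.0.0.7 query=j0k1l2.example.net rcode=NXDOMAIN
2010-10-20T17:12:03Z client=10.0.0.7 query=m3n4o5.example.net rcode=NXDOMAIN
2010-10-20T17:12:03Z client=10.0.0.7 query=p6q7r8.example.net rcode=NXDOMAIN
2010-10-20T17:12:04Z client=10.0.0.7 query=s9t0u1.example.net rcode=NOERROR
2010-10-20T17:00:00Z client=10.0.0.9 query=x1.example.org rcode=NXDOMAIN
2010-10-20T17:03:00Z client=10.0.0.9 query=x2.example.org rcode=NXDOMAIN
2010-10-20T17:06:00Z client=10.0.0.9 query=x3.example.org rcode=NXDOMAIN
2010-10-20T17:09:00Z client=10.0.0.9 query=x4.example.org rcode=NXDOMAIN
2010-10-20T17:12:00Z client=10.0.0.9 query=x5.example.org rcode=NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, client, name, rcode); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["client"], m["name"].lower(), m["rcode"]


def find_cycling_clients(log_text, window=timedelta(seconds=60), min_failures=5):
    """Flag clients that query at least `min_failures` distinct names that all
    return NXDOMAIN inside a sliding `window`.

    Returns {client: {"failed": [names...], "live": name_or_None}}. "live" is the
    first name that resolved right after such a burst: with the rotation scheme
    described in the article, that is the candidate C&C host worth blocking and
    investigating. The threshold of 5 suits this tiny sample; hundreds of names
    per day, as the article states, would allow a far stricter setting.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, name, rcode = rec
            events[client].append((ts, name, rcode))

    hits = {}
    for client, recs in events.items():
        recs.sort()
        failed = deque()   # (ts, name) for distinct NXDOMAIN names inside the window
        seen = set()
        burst_then_success = False
        for ts, name, rcode in recs:
            # Expire failures that fell out of the sliding window.
            while failed and ts - failed[0][0] > window:
                seen.discard(failed.popleft()[1])
            if rcode == "NXDOMAIN":
                if name not in seen:
                    failed.append((ts, name))
                    seen.add(name)
            elif rcode == "NOERROR" and len(failed) >= min_failures:
                hits[client] = {"failed": [n for _, n in failed], "live": name}
                burst_then_success = True
                break
        # A burst that never found a live name is still worth reporting.
        if not burst_then_success and len(failed) >= min_failures:
            hits[client] = {"failed": [n for _, n in failed], "live": None}
    return hits


if __name__ == "__main__":
    for client, info in find_cycling_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(info['failed'])} failed lookups, "
              f"live candidate = {info['live']}")
```

In the sample, 10.0.0.5 (one typo-style NXDOMAIN among normal traffic) and 10.0.0.9 (five failures spread three minutes apart, so never five inside one window) are not reported; only 10.0.0.7 is, together with the name that finally resolved. The sliding window is what keeps ordinary typo noise below the threshold while still catching the tight burst the rotation scheme produces.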

November 21, 2011, 06:55:27 pm
Reply #7

SysAdMini
